LinuxQuestions.org
Old 03-18-2003, 02:12 PM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600

Quote:
Something must be done about these IIS exploits. I'm brainstorming now on writing a daemon that identifies these exploit requests and then drops them at the firewall.

Ah. You mean something like Snort with Guardian?
There's even an Apache mod that can block and reply AFAIK, dunno name tho.
 
Old 03-18-2003, 02:48 PM   #17
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
I've heard of those but I was thinking of something more along the lines of a daemon that runs and not only blocks access on the server, but also can connect to people running the LIFE client and let them know what servers are infected as well. Still a lot of things to work out in my head and I'm not sure if it's even feasible or worthwhile.
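
The detection half of the daemon idea in the posts above, as an added example that is not code from anyone in the thread: it scans Apache access-log lines for the request markers of the Code Red and Nimda probes and lists the sources that reach a threshold, leaving the actual block to the firewall. The log lines, addresses, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Request-path markers of the IIS worm probes this thread is about
# (Code Red asks for default.ida; Nimda asks for cmd.exe / root.exe).
PROBE = re.compile(r"(cmd\.exe|root\.exe|default\.ida)", re.IGNORECASE)

# Apache common/combined log format: host ident user [time] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')


def probe_counts(lines):
    """Count worm-probe requests per source address; unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and PROBE.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits


def block_candidates(lines, threshold=2):
    """Sources with at least `threshold` probe requests, sorted for stable output."""
    return sorted(ip for ip, n in probe_counts(lines).items() if n >= threshold)


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2003:14:01:07 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Mar/2003:14:01:08 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274',
    '192.0.2.10 - - [18/Mar/2003:14:01:09 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    '198.51.100.7 - - [18/Mar/2003:14:05:30 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270',
    '203.0.113.5 - - [18/Mar/2003:14:06:12 -0500] "GET /index.html HTTP/1.1" 200 5120',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    for ip, n in sorted(probe_counts(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} probe request(s)")
    print("block candidates:", block_candidates(SAMPLE_LOG))
```
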
 
Old 03-18-2003, 03:31 PM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
() but also can connect to people running the LIFE client and let them know what servers are infected as well.

Hmm. Such services exist like for instance Dshield or myNetWatchman. Anyway, if it's done on a massive global scale (like with all TLDs represented) and if it's got good integration with other forms of alerting (look for instance at how Prelude IDS tries to do this on a micro scale) the better chances are it'll be useful. For instance it could be a nice tool to graph/signal outbreaks 'n stuff.
OTOH if it lacks support, overview, or would show in detail how all 'leet Roadrunner users scan the rest of the globe it wouldn't be interesting for long.

Anyway, good luck, and keep us posted if you come up with something in the works.
 
Old 03-19-2003, 04:51 PM   #19
_LR_
LQ Newbie
 
Registered: Mar 2002
Posts: 15

Rep: Reputation: 0
Question

well well at least I know my firewall works =)
I don't know what the previous page says but it sure made my fw light up.
Thnx for the help, now at least I don't need more coffee to stay awake
hm now it gets interesting, should I or shouldn't I shut down the fw and take a peek? lol
 
Old 04-13-2003, 10:40 PM   #20
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
Crashed_Again, don't worry, every web server on the net has these same problems. I am managing some university systems and will soon just not log these attempts at all.

Can we do that using the level on the Apache error_log?????
 
Old 04-14-2003, 02:37 AM   #21
Lord-Rashid
Member
 
Registered: Apr 2003
Location: Seattle WA
Distribution: Redhat 8.0 and Mandrake 9.0
Posts: 47

Rep: Reputation: 15
I wish it were legal to retaliate against the script kiddies out there or against infected boxes. That way you could shut them down so they wouldn't be a problem to anyone on the net and the admin of the box or owner would have to suffer the consequences of not upgrading or patching their software. heh
As far as retaliating against script kiddies. I think that should be perfectly legal. Like when someone Sub 7 scans you 1000 times. That happened to me the other day. So I netsent him a nice message about 100 times and he backed off realizing he was a noob.
Sincerely,
Lord Rashid
 
Old 04-14-2003, 07:50 AM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
I wish it were legal to retaliate against the script kiddies out there or against infected boxes.

I don't see any form of legislation holding you back anyway. You're an expert on skiddies based on, what*? Besides, isn't "hunting" skiddies a waste of time and cycles, since they'll just move on to another src IP and other targets just as easily?

Quote:
That happened to me the other day. So I netsent him a nice message about 100 times

...which I'm sure you didn't do manually, which makes you a what?


*see for instance Rating The Enemy.
 
Old 04-18-2003, 09:55 AM   #23
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Rep: Reputation: 30
I had the same problem with Comcast domains.... I called Comcast to say that I used a firewall utility to detect Code Red/Nimda queries... I told them I wanted a refund until they made others on the subnet apply the patch to fix their machines. They were using up my valuable bandwidth......

3 days later an email was sent to all Comcast users explaining what the worms were and where to get the patch.

Didn't help though, so I drop all incoming packets from 68.80.0.0 and never looked back.
 
Old 04-18-2003, 11:56 AM   #24
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 50
Quote:
Originally posted by Lord-Rashid
I wish it were legal to retaliate against the script kiddies out there or against infected boxes. That way you could shut them down so they wouldn't be a problem to anyone on the net and the admin of the box or owner would have to suffer the consequences of not upgrading or patching their software. heh
As far as retaliating against script kiddies. I think that should be perfectly legal. Like when someone Sub 7 scans you 1000 times. That happened to me the other day. So I netsent him a nice message about 100 times and he backed off realizing he was a noob.
Sincerely,
Lord Rashid

So, how do you know it's a script kiddie working from their own machine and not an infected machine? Sure, people who don't completely secure their machines are part of the problem, but just because grandma doesn't know anything about security or linux doesn't mean you have any more right to crash her computer than a skiddie does. Just block the crap, put the offending computer in your TCP wrapper, and get on with your life.
 
Old 04-18-2003, 12:15 PM   #25
Lord-Rashid
Member
 
Registered: Apr 2003
Location: Seattle WA
Distribution: Redhat 8.0 and Mandrake 9.0
Posts: 47

Rep: Reputation: 15
I know it was a script kiddie b/c I had been attacked by them and UDP scanned about 100 times previously in the past. They are located in Northern China and I've had countless other types of attacks from them. I was just never at my computer to retaliate before. They had attempted to UDP scan me, Sub Seven, Back Office, Nimda, Stack BO, etc. Also there were no ports open on their computer that would allow for a bounce attack to occur.
Sincerely,
Lord-Rashid
 
Old 04-19-2003, 08:49 AM   #26
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
hey with the net send, I didn't know you could send someone a message outside the private network.

is it just netsend (their ip) Hello World
 
Old 04-19-2003, 10:29 AM   #27
Lord-Rashid
Member
 
Registered: Apr 2003
Location: Seattle WA
Distribution: Redhat 8.0 and Mandrake 9.0
Posts: 47

Rep: Reputation: 15
Yup, that's all there is to it. =)
 
Old 04-22-2003, 04:10 AM   #28
pixelV
Member
 
Registered: Dec 2002
Distribution: Slackware 8.1
Posts: 123

Rep: Reputation: 15
Post Ebook

Guys, I can offer you to read the book 'Protection from hackers'. I don't know what the real name of this book is in English, but there are 20 hack-stories and answers on how to protect from hacker attacks. It is a cool book and in the first chapter is a simple story of hacking Windows.

123.456.789.987/sripts/../../winnt/system32/cmd.exe /c+dir+c:\

it is a command to see the C:\ directory
 
Old 04-22-2003, 12:06 PM   #29
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
yea it's published by McGraw Hill Osborne, good book
 
  


All times are GMT -5. The time now is 01:31 AM.
